Cyber-security industry 2017 predictions: reaching the tipping point

SC's Roi Perez sifts through a mountain of predictions for cyber-security in 2017 to pick out recurrent trends, specific predictions and warnings as to where we need to prioritise our defences in the year ahead.


2016 was quite a year for cyber-security. With cloud services becoming near ubiquitous, unsecured Internet of Things devices delivering on their threat of being a major security headache, autonomous cars gaining front-page coverage thanks to Tesla and the changing face of business and consumer technology, it's safe to say that criminals are basking in the glory of an ever-growing attack surface on which lies the next bitcoin-shaped pay slip for those with more daring than moral scruples.

Raj Samani, CTO EMEA Intel Security said: “To overcome the designs of cyber-criminals, we need to go beyond understanding the threat landscape to changing the defender-attacker dynamic. This means focusing on six key areas: We need to make it harder for hackers to obtain information and more expensive for them to launch an attack. Meanwhile on the corporate side we must improve visibility, better identify exploitation of legitimacy, improve protection for decentralised data, and detect and protect in agentless environments.”

Looking at 2017, many in the security industry are predicting not only more of the same, but new and improved techniques which will take cyber-attacks to the next level. One of the most notable is from Jason Hart, CTO Data Protection, Gemalto, who is predicting that data integrity breaches are set to send shockwaves throughout the world in 2017, with at least one ‘almighty’ breach disclosure of this type expected next year.

Data integrity is a promise or assurance that information can be accessed or modified only by authorised users. Data integrity attacks compromise that promise, with the aim of gaining unauthorised access to modify data for various ulterior motives, such as financial or reputational damage.

Hart said: “Data integrity attacks are, of course, nothing new, yet they remain under the radar of businesses who have an ever increasing reliance on data and make huge business decisions based on its analysis. These types of attacks are what I like to call the ultimate weaponisation of data.”

Mike East, vice president of sales EMEA at CrowdStrike said, “In 2017, the manipulation of data to remove its integrity will be significant enough to send companies under. Organisations need to be continually and proactively assessing their networks to understand how they are compromised. Too many are focusing on the “known” bads, rather than trying to understand the threat of the unknown.”

Dave Palmer, director of technology at Darktrace said: “The scenario is particularly worrying for industries that rely heavily on public confidence. A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at particular risk. Governments may also fall foul of such attacks, as critical data repositories are altered, and public distrust in national institutions rises. These ‘trust attacks' can also be expected to disrupt the financial markets. An example of this is falsifying market information to cause ill-informed investments. We have glimpsed the potential of disrupted M&A activity through cyber-attacks already - is it a coincidence that the disclosure of the Yahoo hack happened while Verizon was in the process of acquiring the company?”

2016 was, by and large, the year of the DDoS attack. It saw the Europol takedown of DD4BC, a gang offering DDoS-as-a-service in return for Bitcoins, and the downfall of vDOS, a gang from Israel which got caught because a minor security vulnerability in its website revealed its members' identities. What followed were major DDoS attacks: first on security blogger Brian Krebs' website, with a record-busting 620Gbps attack, and then an even larger 1.1Tbps attack on French web hosting company OVH. As it transpired, the same botnet was responsible for both attacks.

A mere week or so later, the same still unnamed botnet attacked Dyn, a DNS provider which supplies its services to some major websites such as Spotify and Reddit. Causing mass hysteria, user ‘Anna-Senpai’ released the source code to the Mirai botnet on HackForums, claiming it could pull in over 300k IoT devices, all thanks to its use of a 60-long list of default credentials that device owners forgot to change, or simply couldn't as they were ‘burned in’. Some security vendors such as Digital Shadows said the release of the Mirai code wasn't what it was painted to be, as it wasn't as easy to deploy as you might think, but did say that, should a criminal possess the appropriate know-how, it could cause a lot of damage.

There is both good and bad news on this front. Robert Page, lead penetration tester at Redscan claimed that there will be, “Wider calls for product security ratings. Instead of rushing products to market, manufacturers need to take a more responsible approach by making cyber-security testing a fundamental part of the launch cycle. By improving the security of software and devices, vendors can help to better protect their customers by reducing zero-day exploits and damaging DDoS attacks that target insecure credentials. In the meantime, organisations should make it a New Year's resolution to harden the security of their products by implementing security testing and rewards programmes that involve a broad range of penetration tests and vulnerability assessments.”

Dave Larson, CTO/COO at Corero Network Security said: “Following the significant new high-volume attacks experienced in 2016, botnet-driven DDoS attacks will be the biggest security threat for 2017. In the year ahead, we will likely see Terabit-scale, multi-vector DDoS attacks becoming the new normal, with the potential to knock entire countries offline. Our entire digital economy depends upon access to the Internet, and so organisations should think carefully about business continuity in the wake of such events. For example, it may be prudent to have back-up telephone systems in place to communicate with customers, rather than relying solely on VOIP systems, which could also be taken down in the event of an attack.”

Some security experts are claiming that the IoT will shut down the internet and bring about new committees to focus on hardening it. Rob Juncker, vice president of engineering at Landesk said: “We saw it in the DYN DDoS in 2016… We now know how to shut-down the internet and more than likely, the whole DYN attack was nothing more than a decoy for an attack that will dominate the news for 2017. In the wake of this, we're going to re-evaluate the role of key protocols like DNS and come up with resilient ways to pave the passageways of the internet and plumb their pathways.”

April 2016 saw the EU General Data Protection Regulation (GDPR) pass final approval in the European Parliament. This represents the fruit of four years of work, seeking to harmonise levels of data protection in all 28 member states of the EU. Throughout the year, SC has published many articles discussing its effects on business, on law and whether or not companies are doing enough to become GDPR compliant in time for when the rules come into force in May 2018.

Security vendor Forcepoint said: “2017 will be the final full year before the European Union's (EU) General Data Protection Regulation (GDPR) is a legal requirement. The GDPR demands may drive business costs higher as new data protection controls are applied and multiple stakeholders grapple with the who, when and how of data accessibility requirements.”

Javvad Malik, security advocate at AlienVault adds: “In Europe, breach reporting requirements have been discussed for some time and will come into force with GDPR. However, there is also a general global trend where customers and stakeholders want to see companies display more vigilance. Set against this backdrop, it won't be surprising to see stakeholders, regulators and even customers lobby for stronger breach reporting, which may set the foundation for new legal requirements.”

Darran Rolls, CTO, SailPoint says: “When people begin to truly understand the implications of what GDPR means for businesses today, it's going to result in a lot more disclosure in general. While no-one will be penalised until 2018, businesses must begin to align their processes in the coming year in order not to get caught out. For example, if you lose your laptop, which contains a list of customers on its hard drive, and it's not encrypted, your company will have to declare that publicly to avoid a hefty fine. The GDPR ‘wake-up call' will likely see companies scrambling to get organised in 2017.”

Adam Oldfield, EMEA financial services sales director at Unisys said: “Organisations will be readying themselves for the pending regulations that are going to impact financial institutions of all kinds throughout 2017 and into 2018. Confirmed fines for not conforming to regulatory requirements are not cast in stone for 2017, as it will be as we enter the GDPR, however we have seen throughout 2016 regulators continuing to tighten up their stringency in relation to non-compliant organisations. Will we see organisations attempt to bolster their security teams internally, and look to outsource or leverage for market capabilities? What is going to be very interesting to see is how institutions are going to interpret these upcoming regulatory constraints on their organisation. An interesting area to consider with GDPR for example is how consumers will consent to information to be collated. How will businesses define, for example, what biometric data is and does this include an individual's behavioural footprint? This kind of information is just starting to become mainstream, and leaders in the industry will be looked to set the standards for best practice.”

Nation-state sponsored attacks are predicted to rise in 2017, following a turbulent 2016 which saw many hacks attributed to the hacking-chops of countries such as Russia and China. Russia is accused of heavily swaying the result of the 2016 US Presidential Election by hacking and publishing sensitive information, and China is accused of orchestrating the hack on German steel manufacturer ThyssenKrupp, to steal some of its intellectual property in the form of trade secrets.

Patrick Peterson, CEO of Agari, said: “Nation state attacks have set the tone for other cyber-attacks. They have changed since their first use, initially they were used to destruct – internet connection to power grids and Uranium centrifuges. Now they are being used to extract sensitive information and money, as seen most recently the attack on the Bangladesh national bank via SWIFT.”

Colin Tankard, managing director of security company Digital Pathways said: “Nation state hacks will increase but will be focused on commercial espionage rather than political drivers. This is because of the general decline in prosperity in Asia and the need to seek new products or technologies.”

Sean Sullivan, security advisor at F-Secure said: “Russia and their cyber-espionage capabilities made headlines in 2016 thanks to their perceived involvement in the recent US presidential election. But China, and the prospect of them using cyber-attacks to dig up dirt on the incoming administration, are the threat actors the US needs to start worrying about. It wasn't too long ago that everyone was upset about China. The Office of Personnel Management hack disclosed in 2015 was reported to affect as many as 14 million people. It was enough for Obama to push back against China on cyber-security matters. But the new administration seems to be blissfully unaware as to how and why nation-states use cyber-attacks to develop their political interests.”

Sullivan added: “For example, the incoming national security advisor apparently once had an unauthorised internet connection installed in the Pentagon, basically eliminating the “air gap” used to safeguard one of the US' most important national security centers. Stuff like this makes Michael Flynn a cyber-attack victim waiting to happen. As for motive, a normal presidential transition would attract China's attention, as they would like to catch “sneak peeks” or a “behind the scenes look” at the policies and positions of the incoming administration. But this wasn't a normal election. Trump and his political network have been causing controversy throughout the campaign. Pulling that thread by digging up non-public dirt can help China gain leverage over Trump's team, and actually unravel initiatives, policies, and positions that might run counter to their interests. And China has the motives and capabilities to make this happen in 2017.”

ThreatConnect CEO Adam Vincent said: “2017 will see an increase in strategic state-backed hacking among developed nations, with more poorly-equipped countries jumping on the bandwagon with less sophisticated attacks. The use of cyber-espionage reached a new level of maturity in 2016. We will see an increasingly vocal response from western governments to escalating Russian hacking activity as we begin to move towards more codified rules of cyber-engagement. 2017 will still be a period of unfettered hacking activity, however, as state actors use aliases to mask their involvement. Organisations with any strategically useful information, whether in the public or private sector, must prepare themselves to deal with highly sophisticated phishing, infiltration, and data leaking campaigns.”

Throughout 2016, ransomware made many headlines, and many more are predicted for 2017. Ransomware has infected everything from hospitals to big business. According to security company WatchGuard, 2017 will see the first ever ransomworm, causing ransomware to spread.

The firm said: “Cybercriminals will take ransomware to the next level in 2017 by introducing the kind of auto-propagating characteristics traditionally found in network worms like CodeRed and Conficker. This will result in a breed of ransomware designed to produce endless duplicates of itself, spreading the infection across an entire network.”

Kaspersky Lab security experts anticipate the continuing rise of ransomware, but expect the unlikely trust relationship between victim and attacker, based on the assumption that payment will result in the return of data, to be damaged as a lesser grade of criminal decides to enter the space. This could be the turning point in people being prepared to pay up.

Security firm Sophos said: “As more users recognise the risks of ransomware attack via email, criminals are exploring other vectors. Some are experimenting with malware that reinfects later, long after a ransom is paid, and some are starting to use built-in tools and no executable malware at all to avoid detection by endpoint protection code that focuses on executable files. Recent examples have offered to decrypt files after the victim shared the ransomware with two friends, and those friends paid to decrypt their files. Ransomware authors are also starting to use techniques other than encryption, for example deleting or corrupting file headers. And finally, with "old" ransomware still floating around the web, users may fall victim to attacks that can't be "cured" because payment locations no longer work.”

Dell's SecureWorks security experts predict that the number of ransomware attacks will continue to increase in 2017, and that malware creators will continue to develop more sophisticated malware. In 2016, the success of professional-grade ransomware relied on the RSA encryption algorithm for key exchange and storage, and the Advanced Encryption Standard (AES) algorithm to encrypt victims' files. Using the RSA algorithm allowed attackers to securely exchange and store the encryption key generated for AES so that it was never exposed by file-system forensics or network traffic monitoring.

SecureWorks researchers also observed a threat group deploying ransomware only after it had established and maintained a foothold in the victim's environment for weeks. Having access to the target's infrastructure for extended periods of time enables a threat actor to do reconnaissance and discover where and what valuable data is being stored by the victim.

“Though most ransomware attacks are not targeted, it is likely there will be an uptick in targeted attacks in 2017 as well,” said Alexander Hanel, a security researcher at SecureWorks. “Compromising corporate environments through targeted attacks allows the attackers to request more money than they would receive from a typical user. That makes enterprise targets more attractive.”

Patrick Wheeler, director at Proofpoint said: “In 2016, every week seemed to see a new, unprecedented height in email campaigns delivering Locky ransomware. These campaigns target hundreds of millions of potential victims globally and ensure that even with low delivery rates many thousands of messages will still reach their targets. We predict that in 2017, small will be the new big, as sophisticated threat attackers return to smaller, more targeted campaigns to deliver their malware payloads. High volume email campaigns will continue but will be reserved for ‘commodity' payloads such as zipped executables (including JavaScript) delivering off-the-shelf ransomware variants, while smaller, more targeted campaigns will increase both in number and sophistication. Exploit kits will continue their recent trend of operating at smaller scale and shifting geo-targeting to focus on regions where their activities are less likely to be monitored by researchers and vendors.”

The insider threat is likewise predicted to rise in 2017. In 2016, major companies such as Sage and Expedia became victims of insider-based attacks.

Dave Palmer, director of technology at Darktrace, writes: “Insiders are often the source of the most dangerous attacks. They are harder to detect, because they use legitimate user credentials. They can do maximum damage, because they have knowledge of, and privileged access to, information required for their jobs, and can hop between network segments. If you are a disgruntled employee looking to do damage, your best chances are through a cyber-attack. In 2017, we can no longer reasonably expect 100 percent of our employees and network users to be impervious to cyber-threats which are getting more and more advanced – they won't make the right decision, every time. Organisations need to combat this insider threat by gaining visibility into their internal systems, rather than trying to reinforce their network perimeter. We don't expect our skin to protect us from viruses – so we shouldn't expect our firewall to stop advanced cyber-threats which, in many cases, originate from the inside in the first place.”

Mark Noctor, vice president EMEA for Arxan Technologies said: “Insider attacks will continue to grow and get more sophisticated – whether it's the disgruntled employees attacking to take out their anger at the employer, or employees collaborating with external hackers for monetary gains, these types of attacks will continue to grow because they are easier to execute. Now these attacks will be targeted more at the mobile and IoT infrastructure.”

The cloud will remain a hot topic in 2017. Security experts are still divided on the battle between on-prem and cloud services, but the biggest threats remain those coming from the inside.

Derek Manky, global security strategist at Fortinet said: “The expanding attack surface enabled by technology innovations such as cloud computing and IoT devices, a global shortage of cyber-security talent, and regulatory pressures continue to be significant drivers of cyber-threats. The pace of these changes is unprecedented, resulting in a critical tipping point as the impact of cyber-attacks are felt well beyond their intended victims in personal, political, and business consequences. Going forward, the need for accountability at multiple levels is urgent and real affecting vendors, governments, and consumers alike. Without swift action, there is a real risk of disrupting the progress of the global digital economy.”

Greg Hanson, vice president worldwide consulting at Informatica said: “Security will no longer be a question of on-premise or cloud. It's no longer about whether on-premise or cloud is more secure, but rather about understanding that breaches come from the inside. Threats exist inside the firewall and as a result perimeter defence has long since been ineffective. After all, the biggest threat to an organisation's security posture doesn't come from the kind of infrastructure and software it uses, but the people. The amount of data that business users are consuming and demanding means it's the data management strategy that is imperative. Security posture in 2017 will be defined by an organisation's ability to carve out a cohesive data management strategy to track data wherever it resides, and secure it at its source.”

Hitesh Sheth, CEO of Vectra said: “Bad actors will focus on the soft underbelly of data centres and cloud deployments by gaining control of firewalls, servers and switches that make up the physical infrastructure. According to the website Shadow Server, there are still more than 816,000 Cisco firewalls connected to the Internet that are vulnerable to Equation Group exploits and sub-OS rootkits exposed by the Shadow Brokers hacking group. Attackers heard this wake-up call about a vast number of vulnerabilities and will exploit them in 2017.”
